I've looked through similar questions and read several articles on SAML 2.0 already, but I still can't make sense of the SAML Auth Request.

I've implemented several SAML-based SSO solutions where my company is an IdP (identity provider). We've always been sending users from our website to third parties via SAML Response:

1. User logs into our website.
2. User clicks a special link on our website.
3. We prepare the SAML Response XML.
4. We e-sign it with our private key.
5. We send it back to our user's browser as a hidden field in an HTML form, along with the "RelayState" parameter.
6. We auto-POST this form to the SP (service provider) URL.

That's it.

SAML 2.0 articles (for example, the Wikipedia overview article on SAML 2.0) suggest that we're missing a step: "SAML Auth Request". It seems that the SP needs to initiate the SSO by first sending a "SAML Auth Request" to the IdP (us), then we're supposed to respond to it with a SAML Response.

How does the SP decide when to initiate the SSO? The SP doesn't even know we're going to send a user their way. The user is currently logged into OUR website and it is up to the user when to click that link that would "magically" authenticate them on the SP website.

Thank you!

P. S. I understand SAML 2.0 is the "established industry standard", but the more I work with it - the more I feel like it is overkill. Because of its complexity there are a ton of different incompatible implementations (from my experience). Each time we're doing SSO with a new partner - it is a pain. Big companies are making a ton of money selling "out of the box" SAML solutions, which no one knows how to configure and troubleshoot properly, so people are almost forced to pay for expensive contractors to set it all up. Companies hope to be able to hire low-wage employees to support those overcomplicated SAML solutions. When setting up SSO with third parties I often deal with those people who have no clue what it is; they're just trained to click buttons and read the cryptic error messages to me over the phone. This is all due to SAML being over-engineered. But hey - there's a bright side: I get paid real good, because I understand SAML well enough to at least make it work. :)
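The six steps in the question are the SAML 2.0 HTTP-POST binding carrying an unsolicited (IdP-initiated) Response. As an added illustration that is not the poster's code, the Python below builds such a Response on the IdP side, packs it into the auto-POST form with a RelayState, and then shows the checks the SP side has to make on a Response that arrives with no preceding AuthnRequest: Destination, Issuer, Status, validity window, Audience, absence of InResponseTo, and an assertion-ID replay cache. All entity IDs and URLs are constructed sample values; XML-DSig verification of the signature is left as a hook (`signature_ok`) because it needs an XML signature library and the IdP's public key, which is an assumption of this example, not something the question supplies.

```python
import base64
import html
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# SAML 2.0 protocol and assertion namespaces
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

# Constructed sample identifiers (assumptions, not real endpoints)
IDP_ENTITY_ID = "https://idp.example.com/metadata"
SP_ENTITY_ID = "https://sp.example.com/metadata"
SP_ACS_URL = "https://sp.example.com/saml/acs"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
TS = "%Y-%m-%dT%H:%M:%SZ"


def build_unsolicited_response(subject, now=None):
    """IdP side (steps 3-4 minus the signature): a minimal IdP-initiated
    Response. It deliberately carries no InResponseTo, since no AuthnRequest
    preceded it. Signing would be applied to this XML before encoding."""
    now = now or datetime.now(timezone.utc)
    resp = ET.Element(f"{{{NS['samlp']}}}Response", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0",
        "IssueInstant": now.strftime(TS), "Destination": SP_ACS_URL})
    ET.SubElement(resp, f"{{{NS['saml']}}}Issuer").text = IDP_ENTITY_ID
    status = ET.SubElement(resp, f"{{{NS['samlp']}}}Status")
    ET.SubElement(status, f"{{{NS['samlp']}}}StatusCode", {"Value": SUCCESS})
    assertion = ET.SubElement(resp, f"{{{NS['saml']}}}Assertion", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0",
        "IssueInstant": now.strftime(TS)})
    ET.SubElement(assertion, f"{{{NS['saml']}}}Issuer").text = IDP_ENTITY_ID
    subj = ET.SubElement(assertion, f"{{{NS['saml']}}}Subject")
    ET.SubElement(subj, f"{{{NS['saml']}}}NameID").text = subject
    conds = ET.SubElement(assertion, f"{{{NS['saml']}}}Conditions", {
        "NotBefore": (now - timedelta(minutes=1)).strftime(TS),
        "NotOnOrAfter": (now + timedelta(minutes=5)).strftime(TS)})
    aud = ET.SubElement(conds, f"{{{NS['saml']}}}AudienceRestriction")
    ET.SubElement(aud, f"{{{NS['saml']}}}Audience").text = SP_ENTITY_ID
    return ET.tostring(resp, encoding="unicode")


def encode_for_post(response_xml):
    """HTTP-POST binding: the XML travels base64-encoded in SAMLResponse."""
    return base64.b64encode(response_xml.encode()).decode()


def build_autopost_form(response_xml, relay_state):
    """Steps 5-6: hidden SAMLResponse + RelayState fields, auto-submitted to the ACS."""
    return (
        f'<form method="POST" action="{html.escape(SP_ACS_URL)}">'
        f'<input type="hidden" name="SAMLResponse" value="{html.escape(encode_for_post(response_xml))}"/>'
        f'<input type="hidden" name="RelayState" value="{html.escape(relay_state)}"/>'
        '</form><script>document.forms[0].submit()</script>'
    )


seen_assertion_ids = set()  # replay cache; a real SP persists this with expiry


def sp_validate(form_fields, now=None, signature_ok=lambda xml: True):
    """SP side: what must hold before an unsolicited Response is trusted.
    signature_ok stands in for XML-DSig verification against the IdP key."""
    now = now or datetime.now(timezone.utc)
    xml = base64.b64decode(form_fields["SAMLResponse"]).decode()
    if not signature_ok(xml):
        raise ValueError("signature invalid")
    root = ET.fromstring(xml)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError("not a samlp:Response")
    if root.get("Destination") != SP_ACS_URL:
        raise ValueError("Destination mismatch")
    if root.get("InResponseTo") is not None:  # this SP only accepts unsolicited Responses
        raise ValueError("unsolicited Response must not carry InResponseTo")
    if root.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise ValueError("unknown Issuer")
    if root.find("samlp:Status/samlp:StatusCode", NS).get("Value") != SUCCESS:
        raise ValueError("status not Success")
    assertion = root.find("saml:Assertion", NS)
    conds = assertion.find("saml:Conditions", NS)
    not_before = datetime.strptime(conds.get("NotBefore"), TS).replace(tzinfo=timezone.utc)
    not_on_or_after = datetime.strptime(conds.get("NotOnOrAfter"), TS).replace(tzinfo=timezone.utc)
    if not (not_before <= now < not_on_or_after):
        raise ValueError("assertion outside its validity window")
    if conds.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) != SP_ENTITY_ID:
        raise ValueError("Audience mismatch")
    if assertion.get("ID") in seen_assertion_ids:
        raise ValueError("assertion replayed")
    seen_assertion_ids.add(assertion.get("ID"))
    return assertion.findtext("saml:Subject/saml:NameID", namespaces=NS), form_fields.get("RelayState")


if __name__ == "__main__":
    xml = build_unsolicited_response("alice@example.com")
    print(build_autopost_form(xml, "/dashboard")[:120], "...")
    print(sp_validate({"SAMLResponse": encode_for_post(xml), "RelayState": "/dashboard"}))
```

Run stand-alone it prints the start of the auto-POST form and the (NameID, RelayState) pair the SP recovers. The Destination and replay checks are the ones that matter most for the IdP-initiated case: without an AuthnRequest there is no request ID to correlate, so the SP cannot rely on InResponseTo and has to lean on signature, Destination, Audience, the time window and a seen-assertion cache instead.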

Just to add, triggering IdP-initiated SSO is not really part of the standard, but that page Stefan linked explains what happens once it has been triggered. Most IdPs just have some sort of URL or redirect to do it -- the Shibboleth IdP has an endpoint for it, documented at: wiki.shibboleth.net/confluence/display/SHIB2/IdPUnsolicitedSSO
– Martin Sep 11 '14 at 2:34

What do you mean it's not a part of the standard? It's defined in the spec.
– Stefan Sep 11 '14 at 13:02